The Insider Menace

95% of insider threats are usually men.

Insiders that communicate and facilitate adversary groups are typically trusted male employees, which is constituted by some sense of failure in their life or need of money and lack of success which still outlines to that sense of failure.

During majority of the engagements and CNE operations, OnNet CNO team develops and collects intelligence on the insider threats involved and usually ends up identifying, a male between the ages of 28-40 years old.

Kenyan AFTs

The six threat actors OnNet tracks in Kenyan are Nairobi based financial groups that broke up from the primary AFT, and all five of them have the same TTPs when they approach insiders except SilentCards.

SilentCards approaches anyone with physical access to the building often involving guards and janitors and then offers them money. The insider assists them with the delivery of a rogue laptop to the institution’s building.

With Examples

We have witnessed a Janitor/Cleaner photograph statements and software queries from an office late in the evening and send them to an AFT operator via social media as seen below.

Such surveillance helps the AFTs’ to understand the banking software used by the Financial institution.

The same AFTs have used a communications officer in a different instituton to get names of all Western Union tellers, their usernames and emails as seen below.

Though Forkbombo used to work well with SilentCards over a couple years, predominantly the former concentrate on the personnel with an ICT background, collecting OSINT on the subject via LinkedIn, Facebook and other Social media platforms. Then in no time, they will communicate with him, to assist with installation of RUT backdoor. We have witnessed them approach an Accountant with some ICT background as stated on his LinkedIn profile, and such malicious insider would not only aid with the backdoor installation but forward copies of email threads so that the AFTs can understand the inner working of the banks systems.

The screenshot below shows a thread that was forwarded over to the AFTs.

Several batches are usually forwarded depending on the demand.

Some emails contain balances during loan heists when the AFT needs to understand how loans are paid and the organization’s/client’s with bigger credit.

This was a big Modus Operandi for another Threat group OnNet tracks codenamed GrapZone which specialized in loan sabotage, credit manipulation and bill de-credit operations.


Getting statement details for accounts with huge loans was a major MO used by Grapzone, to clear loans quietly little by little without getting noticed.

Computer Network Defense

With the insider threats growing and evading several security checks, a lot of institutions are under attacks everyday.

Building a framework to spy (DITU) or setting up UEBA solutions on the employees can get disastrous and expensive, rather educating them and establishing a culture of accountability can minimize such risks and inflict less harm to the organization already targeted by the AFTs.

Leave a Reply

Your email address will not be published. Required fields are marked *